CloudFlare Adds IPv6 Proxy Functionality
CloudFlare’s newly announced IPv6 support brings much more than just the ability to provide their caching and security features to IPv6-based websites. A few weeks ago CloudFlare co-founder Matthew Prince cryptically announced that they were working on a new groundbreaking feature. Whilst IPv6 is a great addition, IPv6 support alone is not what makes this new feature as cool as it is.
The main issue with IPv6 today is not the fact that ISPs haven’t made the switch yet – this will be a fairly simple process – but rather that most websites themselves don’t yet support IPv6. This is one of the main reasons why ISPs don’t want to go full IPv6: most content would be inaccessible to their customers. What CloudFlare have done is to make all current IPv4 CloudFlare-enabled sites accessible to IPv6-only clients, even if those websites don’t have IPv6 addresses. Because CloudFlare acts as a proxy, they simply add their own IPv6 address to the DNS of CloudFlare-enabled sites, allowing them to receive requests for those sites. Now all they have to do is serve up exactly the same cached content and, for everything else, proxy the request over IPv4 to the origin. To make things even better, it works both ways: IPv4-only clients can also access IPv6-only websites.
CloudFlare lets you choose between two options: Full Mode, which will enable IPv6 on all subdomains that are CloudFlare-enabled, or Safe Mode, which will automatically create specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com). You do not need to change any of your DNS settings. After it is up and running, you can test your IPv6 compatibility and get a badge for your site (mine’s at the bottom of the page).
I was able to take part in CloudFlare’s beta for this new feature and it works great. As you can see from the Security Generation host information below, on top of CloudFlare’s two IPv4 IPs, they’ve now added two IPv6 IPs.
securitygeneration.com has address 173.245.60.99
securitygeneration.com has address 199.27.135.32
securitygeneration.com has IPv6 address 2400:cb00:2048:1::adf5:3c63
securitygeneration.com has IPv6 address 2400:cb00:2048:1::c71b:8720
The IPv6 transition can now go ahead… Security Generation will be available when we get there ;)
As of today all CloudFlare members can now enable IPv6 support on the Settings page for the relevant domain(s). To enable ‘Automatic IPv6’ on your site, log in to CloudFlare.com > My websites > Settings (pull down menu) > CloudFlare Settings > Automatic IPv6: On.
Hit the jump to see CloudFlare’s funky new IPv6 infographic.
iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs
Following the recent over-hyped “location tracking scandal”, Apple has released iOS 4.3.3, which fixes bugs in the Location Services on iPhone and iPad devices that caused them to store excessive location information. As detailed in Apple’s Q&A on Location Data, the location data stored on iOS devices (and backed up by iTunes) is merely a subset of Apple’s crowd-sourced location database of Wifi hotspots and cell towers, used to facilitate Location Services when GPS is unavailable or unreliable. The bugs were causing iOS to download this location cache even if Location Services were turned off, and to store the cache indefinitely instead of regularly purging it.
This update contains changes to the iOS crowd-sourced location database cache including:
- Reduces the size of the cache
- No longer backs the cache up to iTunes
- Deletes the cache entirely when Location Services is turned off
It’s nice to see Apple resolve this issue so swiftly, and these changes will help improve the privacy of iPhone and iPad users, regardless of whether they use Location Services. The only thing I would have added if I were Apple, is the ability for the user to clear the location cache in the device settings. It’s a button that could be easily added in Settings > Location Services. Just sayin’!
Everything You Need to Know About the iPhone Tracking ‘Scandal’ [Updated]
Seeing as I cover OSX/iOS security and privacy, I figured it’s about time I weighed in on this whole iPhone/iPad tracking ‘scandal’. I have to admit I was surprised when I first heard of the iPhone storing location data, especially that it does so with Location Services turned off. This issue is not new, however, and was described in a fair amount of depth by Alex Levinson several months ago. What has made it so popular this month is the release of the iPhoneTracker app, developed by Pete Warden and Alasdair Allan, that creates a visual map of your visited locations. I promptly tested iPhoneTracker, and sure enough it showed a bunch of areas that I’d visited. Upon closer inspection, however, I noticed that it didn’t specifically geolocate me in two places where I’d spent a lot of time; namely home and work. On top of that, there were a number of locations I’d never even been to.
[Updated] According to the info recently published by Apple, this stored location data is not the location of the iPhone itself, but rather a subset of crowd-sourced location information for local cell towers and wifi networks, which is only used to rapidly provide the user with location information. Full details at the bottom of this post.
Persistent Tracking using Supercookies and Evercookies
Normal websites use cookies to keep track of their visitors, either to remember that they are logged in, to track statistics, or for a number of other purposes. Sites can usually only track users while they are browsing that particular site (apart from Google, who tracks you more or less wherever you go); however, the past few years have revealed more and more ways web users can be tracked.
The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.
Modern supercookies comprise a number (or all) of the following:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
Samy Kamkar recently released Evercookie, a JavaScript API for creating extremely persistent browser cookies. The list above is what Evercookie uses to create them: the same identifier is written to every available store, and if any one copy survives it is used to restore the others. If websites were to start using these techniques, they would be able to uniquely identify you (as a user, not a person) each time you visited, even if you deleted your cookies, cleared your cache, and removed your history (or used a private browsing feature). Due to the use of shared objects, such as Flash, some cookies are persistent even across different browsers!
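An added audit helper, written for this post and not taken from Evercookie or any other project: it takes a snapshot of the storage mechanisms listed above (the snapshot object, its keys and the sample values are constructed here; in a browser you would fill it from document.cookie, localStorage, window.name and so on) and reports any identifier that has been replicated across several mechanisms, which is the signature of a supercookie. It also shows how a token hidden in a force-cached PNG is read back out of the pixel RGB values.

```javascript
// Recover a token that was stored as pixel RGB values in a cached PNG: each
// pixel carries three bytes (R, G, B) in the canvas ImageData layout, the
// alpha channel is ignored and a zero byte terminates the string.
function decodePixelToken(rgba) {
  let out = "";
  for (let i = 0; i < rgba.length; i += 4) {
    for (const b of [rgba[i], rgba[i + 1], rgba[i + 2]]) {
      if (b === 0) return out;
      out += String.fromCharCode(b);
    }
  }
  return out;
}

// Flatten every mechanism in the snapshot into (mechanism, value) pairs.
function collectValues(snapshot) {
  const pairs = [];
  for (const [mech, data] of Object.entries(snapshot)) {
    if (data == null) continue;
    if (mech === "pngPixels") pairs.push([mech, decodePixelToken(data)]);
    else if (typeof data === "string") pairs.push([mech, data]);
    else for (const v of Object.values(data)) pairs.push([mech, String(v)]);
  }
  return pairs;
}

// Return every value seen in at least `minStores` distinct mechanisms,
// mapped to the sorted list of mechanisms holding it.
function findReplicatedTokens(snapshot, minStores = 2) {
  const seen = new Map();
  for (const [mech, value] of collectValues(snapshot)) {
    if (!seen.has(value)) seen.set(value, new Set());
    seen.get(value).add(mech);
  }
  const hits = {};
  for (const [value, mechs] of seen) {
    if (mechs.size >= minStores) hits[value] = [...mechs].sort();
  }
  return hits;
}

// Constructed snapshot: the id "abc123" planted in cookies, localStorage,
// window.name, an ETag and a cached PNG ("abc123" followed by a zero byte),
// plus one ordinary session cookie that is not replicated anywhere.
const pngPixels = Uint8ClampedArray.from([0x61, 0x62, 0x63, 255, 0x31, 0x32, 0x33, 255, 0, 0, 0, 255]);
const sampleSnapshot = {
  cookies: { sid: "login-xyz", uid: "abc123" },
  localStorage: { uid: "abc123" },
  sessionStorage: {},
  windowName: "abc123",
  etag: "abc123",
  pngPixels,
};
console.log(findReplicatedTokens(sampleSnapshot));
```

Only "abc123" is reported, together with the five mechanisms that hold it; the ordinary session cookie lives in one store and is ignored.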
Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and the countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up with the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown script which improves the security and privacy of Firefox by making some configuration changes (e.g. disabling prefetching, geolocation, caching, etc).
This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to). All too often, however, browser plugins and add-ons are given too many privileges.
Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.